<%@LANGUAGE="VBSCRIPT" CODEPAGE="65001"%>
<!--#include file="../Include/Conn.asp" -->
<!--#include file="seeion.asp"--> 
<!--#include file="page.asp" -->
<%
' Permission gate: chkAdmin is defined in one of the includes above; "|6" is
' presumably the right this page requires - confirm against chkAdmin itself.
chkAdmin "|6"
' This page's own path, reused by the lock/unlock links and the config form action.
URL = Request.ServerVariables("URL")
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Sql防注入管理</title>
<link href="images/style.css" type="text/css" rel="stylesheet" />
<script language="JavaScript">
<!--
function CheckAll(form)  {
  // Mirror the "select all" box (chkall) onto every other control of the form.
  var master = form.chkall.checked;
  var controls = form.elements;
  for (var idx = 0, total = controls.length; idx < total; idx++) {
    var control = controls[idx];
    if (control.name === 'chkall') continue;   // never touch the master box itself
    control.checked = master;
  }
}
//-->
</script> 
<%if request.querystring("action")="admin" then%>
<table width="100%" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
  <tr>
    <td height="30" class="topnav"><div>SQL注入管理</div> </td>
  </tr>
  <tr>
    <td bgcolor="#FFFFFF"><table width="100%" border="0" align="center" cellpadding="4" cellspacing="0" class="stable">
<tr>
<td width="30" height="30" align="center" bgcolor="#F1F5F8">选择</td>
<td width="30" align="center" bgcolor="#F1F5F8">编号</td>
<td width="70" align="center" bgcolor="#F1F5F8">当前状态</td>
<td width="70" align="center" bgcolor="#F1F5F8">是否锁定</td>
<td width="200" align="center" bgcolor="#F1F5F8">攻击ＩＰ</td>
<td width="200" align="center" bgcolor="#F1F5F8">操作页面</td>
<td width="180" align="center" bgcolor="#F1F5F8">操作时间</td>
<td width="80" align="center" bgcolor="#F1F5F8">提交方式</td>
<td width="80" align="center" bgcolor="#F1F5F8">提交参数</td>
<td align="center" bgcolor="#F1F5F8">提交数据</td>
<td width="80" align="center" bgcolor="#F1F5F8">操 作</td>
</tr>

<tr align="center" bgcolor="#FFFFFF">
<%
' --- Listing of recorded injection attempts, newest first, 20 per page ---
set rs=server.createobject("adodb.recordset")
sql="select * from SqlIn order by id desc"
' Cursor 1 / lock 1 = keyset, read-only: RecordCount / PageCount / AbsolutePage
' below need a cursor that reports the row count (forward-only would not).
rs.open sql,conn,1,1
if rs.eof and rs.bof then
' Empty table. NOTE(review): the header row has 11 columns, this cell spans 9.
response.write ("<td align=""center"" colspan=""9"">暂无注入记录...</td>")
else
rs.PageSize =20'records per page
iCount=rs.RecordCount 'total record count
iPageSize=rs.PageSize
maxpage=rs.PageCount 
' Requested page (unqualified Request searches query string, form and cookies);
' anything missing or non-numeric becomes page 1. "or" does not short-circuit
' in VBScript, but both operands are safe on any value.
page=request("page")
if Not IsNumeric(page) or page="" then
page=1
else
' NOTE(review): CInt raises an overflow error for values above 32767; CLng
' together with the clamp below would be the safer conversion.
page=cint(page)
end if
' Clamp into [1, maxpage].
if page<1 then
page=1
elseif  page>maxpage then
page=maxpage
end if
rs.AbsolutePage=Page
' x = number of rows on the current page (the last page may be short).
' NOTE(review): x is not read anywhere in this file.
if page=maxpage then
x=iCount-(maxpage-1)*iPageSize
else
x=iPageSize
end if	
' Row loop; n is the 1-based display number shown in the "编号" column. The
' else branch and this for-loop stay open across the row markup that follows
' and are closed in the server block after it (movenext / exit for at eof).
' NOTE(review): the form tag in the row markup is emitted once per row;
' browsers ignore the nested opens, so it only works by accident - it belongs
' before the loop.
' NOTE(review): SqlIn_IP, SqlIn_WEB, SqlIn_FS and SqlIn_CS are written into
' the rows with no HTML encoding; only SqlIn_SJ goes through N_Replace, which
' itself does not encode "&" or quotes. Per the column headers these hold the
' blocked request's own data, so the admin view is exposed to stored XSS.
for i=1 to rs.pagesize
n=n+1%>
      <form action="?del=ok" method="post" name="check" id="check">
        <tr align="center" bgcolor="#FFFFFF" height="22">
          <td class="td"><input name="ID" type="checkbox" id="ID" value="<%=rs("id")%>" /></td>
          <td class="td"><input type="text" class="inp" style="text-align:center; width:40px" value="<%=n%>" readonly="readonly"/></td>
          <td class="td">
            <%
		  ' Status column: Kill_ip is the per-record "attacker IP locked" flag.
		  if rs("Kill_ip")=true then 
			response.write "<font color='red'>已锁定</font>"
		  else
			response.write "<font color='green'>已解锁</font>"
		  end if%>
          </td>
          <td class="td">
		  <%if rs("Kill_ip")=true then 
			' Lock / unlock toggle for this record, handled by the action=lock and
			' action=unlock blocks further down. NOTE(review): these are plain GET
			' links that change state and no anti-CSRF token is visible in this
			' file; a POST carrying a per-session token would be the fix.
			response.write "<a href="&URL&"?action=unlock&id="&rs("id")&" style=""color:#FF0000"">解锁IP</a>"
		  else
			response.write "<a href="&URL&"?action=lock&id="&rs("id")&" style=""color:#006600"">锁定IP</a>"
		  end if
	      %>
          </td>
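          <%' Per the column headers these fields hold the blocked request's own
            ' data (IP, page, time, method, parameter, payload), so every one is
            ' HTML-encoded before it reaches the admin's browser. The original
            ' wrote IP/WEB/TIME/FS/CS raw and ran only SJ through N_Replace, which
            ' left "&" and quotes alone. Null fields are coerced with & "" because
            ' Server.HTMLEncode expects a string.%>
          <td class="td"><%=Server.HTMLEncode(rs("SqlIn_IP") & "")%></td>
          <td class="td"><%=Server.HTMLEncode(rs("SqlIn_WEB") & "")%></td>
          <td class="td"><%=Server.HTMLEncode(rs("SqlIn_TIME") & "")%></td>
          <td class="td"><%=Server.HTMLEncode(rs("SqlIn_FS") & "")%></td>
          <td class="td"><%=Server.HTMLEncode(rs("SqlIn_CS") & "")%></td>
          <td class="td"><%=Server.HTMLEncode(rs("SqlIn_SJ") & "")%></td>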
          <td class="td"><input type="button" name="Submit" value="删除" onclick="javascript:if(confirm('确定删除？删除后不可恢复!')){window.location.href='?action=admin&id=<%=rs("id")%>&amp;delete=del';}else{history.go(0);}"  class="btn"/></td>
        </tr>
		<%rs.movenext 
        ' Closes the row loop and the if/else opened in the paging block above;
        ' the last page may hold fewer than PageSize rows, hence the early exit.
        if rs.eof then exit for 
        next 
        end if%>
          <tr bgcolor="#FFFFFF">
           <td align="center"><input name="chkall" type="checkbox" id="chkall" value="select" onClick="CheckAll(this.form)" style="border:0" /></td>
           <td align="center">全选</td>
           <td align="center"><input type="submit" name="action" value="删除" class="btn"/></td>
          <td colspan="8"><%call PageControl(iCount,maxpage,page)%></td>
        </tr>
      </form>
    </table></td>
  </tr>
</table>
<%rs.close
set rs=nothing
' Closes the action=admin section opened above the listing table.
end if
%>

<%if request.querystring("action")="config" then
	' Load the current filter settings to pre-fill the config form that follows
	' (this "if" is closed by the "end if" after the form markup).
	Set rsinfo=conn.execute("select * from sqlconfig")
	N_In		= rsinfo("N_In")			' keyword list, "|"-separated
	Kill_IP		= rsinfo("Kill_IP")			' 1/0: lock the attacker IP (per the form label)
	WriteSql	= rsinfo("WriteSql")		' 1/0: record intruder info (per the form label)
	alert_url	= rsinfo("alert_url")		' redirect target for N_type 3/4
	alert_info	= rsinfo("alert_info")		' warning text
	kill_info	= rsinfo("kill_info")		' blocked-access text (per the form label)
	N_type		= rsinfo("N_type")			' 1..5: action taken on a hit, see the select below
	Sec_Forms	= rsinfo("Sec_Forms")		' pages exempt from filtering, "|"-separated
	Sec_Form_open = rsinfo("Sec_Form_open")	' 1/0: honour Sec_Forms
	' NOTE(review): these values are later placed into value="" attributes and
	' textareas with the plain ASP output tag and no HTML encoding; a stored
	' double quote would break the attribute. They are admin-supplied via
	' saveconfig, so exposure is limited, but Server.HTMLEncode is the safe choice.
	rsinfo.close
	Set rsinfo=Nothing 
%>
<table width="100%" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr>
  <td height="30" class="topnav"><div>SQL防注入设置</div></td>
</tr>
<tr>
  <td bgcolor="#FFFFFF">
  <table width="100%"  border="0" cellpadding="5" cellspacing="0" class="stable" style="border-collapse:collapse;">
          <form name="form" method="post" action="<%=url%>?action=saveconfig">
       <tr>
              <td width="18%"  align="right"  class="td">需要过滤的关键字：</td>
              <td width="82%" class="td"><input name="N_In" type="text" value="<%=N_In%>" id="r_str" style=" " size="50">用&quot;|&quot;分开</td>
            </tr>
            <tr>
              <td align="right" class="td">是否记录入侵者信息：</td>
              <td class="td">
                  <select name="WriteSql" id="r_kill">
                    <option value="1" <%if WriteSql=1 Then response.write "selected"%>>是</option>
                    <option value="0" <%if WriteSql=0 Then response.write "selected"%>>否</option>
                </select></td>
            </tr>
              <tr >
              <td align="right" class="td">是否启用锁定IP：</td>
              <td class="td">
                  <select name="Kill_IP" id="r_kill">
                    <option value="1" <%if Kill_IP=1 Then response.write "selected"%>>是</option>
                    <option value="0" <%if Kill_IP=0 Then response.write "selected"%>>否</option>
                </select></td>
            </tr>
           <tr>
              <td align="right" class="td">是否启用安全页面：</td>
              <td class="td">
                  <select name="Sec_Form_open" id="r_kill">
                    <option value="1" <%if Sec_Form_open=1 Then response.write "selected"%>>是</option>
                    <option value="0" <%if Sec_Form_open=0 Then response.write "selected"%>>否</option>
                  </select> 慎用这个功能，除非你确认此页面无需过滤，并确定对安全没影响！ </td>
            </tr>
            <tr >
              <td align="right" class="td">您认为安全的页面：</td>
              <td class="td"><input name="Sec_Forms" type="text" value="<%=Sec_Forms%>" id="r_str" style=" " size="50">用&quot;|&quot;分开</td>
            </tr>
            <tr>
              <td align="right" class="td">出错后的处理方式：</td>
              <td class="td">
                  <select name="N_type" id="r_kill">
                    <option value="1" <%if N_type=1 Then response.write "selected"%>>直接关闭网页</option>
                    <option value="2" <%if N_type=2 Then response.write "selected"%>>警告后关闭</option>
                    <option value="3" <%if N_type=3 Then response.write "selected"%>>跳转到指定页面</option>
                    <option value="4" <%if N_type=4 Then response.write "selected"%>>警告后跳转</option>
                    <option value="5" <%if N_type=5 Then response.write "selected"%>>警告后返回上页</option>
                </select></td>
            </tr>
               <tr >
              <td align="right" class="td">出错后跳转Url：</td>
              <td class="td"><input name="alert_url" type="text" value="<%=alert_url%>" id="r_str" style=" " size="30"></td>
            </tr>
            <tr>
              <td align="right" class="td">警告提示信息：</td>
              <td class="td"><textarea name="alert_info" cols="45" rows="4" readonly="readonly" id="alert_info" style=";  "><%=alert_info%></textarea> \n\n换行</td>
            </tr>
               <tr >
              <td align="right" class="td">阻止访问提示信息：</td>
              <td class="td"><textarea name="kill_info" cols="45" rows="4" readonly="readonly" id="r_err2" style=";  "><%=kill_info%></textarea>\n\n换行 </td>
            </tr>
            <tr>
              <td align="right">&nbsp;</td>
              <td><input name="enter_3" type="submit" id="enter_3" value="保存设置"  class="btn"></td>
            </tr>
          </form>
      </table>
  </td>
</tr>
</table>
<%end if%>

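<%if request.querystring("action")="lock" then
	' Lock: flag the attacker IP of record id as blocked (Kill_ip=true), then
	' return to the listing. Only a numeric id is accepted so the value cannot
	' change the shape of the UPDATE; anything else just returns to the list
	' (the original let CLng raise a type-mismatch error instead).
	if IsNumeric(request("id")) then
		id = clng(request("id"))
		conn.execute("update SqlIn set Kill_ip=true where id="&id)
	end if
	Response.Redirect "admin_sql.asp?action=admin"
End if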

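if request.querystring("action")="unlock" then
	' Unlock: clear the blocked flag (Kill_ip=False) of record id, then return
	' to the listing. Only a numeric id is accepted so the value cannot change
	' the shape of the UPDATE; anything else just returns to the list
	' (the original let CLng raise a type-mismatch error instead).
	if IsNumeric(request("id")) then
		id = clng(request("id"))
		conn.execute("update SqlIn set Kill_ip=False where id="&id)
	end if
	Response.Redirect "admin_sql.asp?action=admin"
End if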

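if request("delete")="del" then
	' Single-row delete, reached from the per-row "删除" button
	' (?action=admin&id=N&delete=del). The id must be an integer before it is
	' concatenated into the WHERE clause; the original concatenated the raw
	' query-string value, which was an SQL injection point. A plain DELETE
	' replaces the updatable-recordset dance, which also failed with an error
	' when no row matched.
	id = Request.QueryString("id")
	if not IsNumeric(id) then
		Response.Write "<script>alert('参数无效!');window.location.href='admin_sql.asp?action=admin';</script>"
		Response.End
	end if
	conn.execute("delete from [SqlIn] where id=" & clng(id))
	Response.Write "<script>alert('当前记录删除成功！');window.location.href='admin_sql.asp?action=admin';</script>"
end if 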

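if request.querystring("action")="saveconfig" then
	' Persist the filter settings posted by the action=config form and drop the
	' cached copy in Application("Neeao_config_info") so it is reloaded (its
	' reader is not in this file).
	' Every free-text field is apostrophe-doubled before it is concatenated into
	' the UPDATE - the original escaped only N_In, so alert_url, alert_info,
	' kill_info and Sec_Forms went into the statement raw. The four numeric
	' flags must pass IsNumeric, otherwise the request is rejected before any
	' SQL is built.
	N_In		=replace(request.form("N_In"),"'","''")
	alert_url	=replace(request.form("alert_url"),"'","''")
	alert_info	=replace(request.form("alert_info"),"'","''")
	kill_info	=replace(request.form("kill_info"),"'","''")
	Sec_Forms	=replace(request.form("Sec_Forms"),"'","''")
	Kill_IP		=request.form("Kill_IP")
	WriteSql	=request.form("WriteSql")
	N_type		=request.form("N_type")
	Sec_Form_open=request.form("Sec_Form_open")
	if not IsNumeric(Kill_IP) or not IsNumeric(WriteSql) or not IsNumeric(N_type) or not IsNumeric(Sec_Form_open) then
		Response.Write "<script>alert('参数无效!');window.location.href='admin_sql.asp?action=config';</script>"
		Response.End
	end if
	' CLng normalises the validated values to plain integers before they are concatenated.
	Kill_IP		=clng(Kill_IP)
	WriteSql	=clng(WriteSql)
	N_type		=clng(N_type)
	Sec_Form_open=clng(Sec_Form_open)
	sql="update sqlconfig set N_In='"&N_In&"',Kill_IP="&Kill_IP&",WriteSql="&WriteSql&",alert_url='"&alert_url&"',alert_info='"&alert_info&"',kill_info='"&kill_info&"',N_type="&N_type&",Sec_Forms='"&Sec_Forms&"',Sec_Form_open="&Sec_Form_open
	' Execute first, then report: the original wrote "保存成功" before running
	' the UPDATE, so a failing statement was still reported as saved.
	conn.execute(sql)
	Application.Lock
	set Application("Neeao_config_info")=nothing
	Application.unlock
	Response.Write "<script>alert('保存成功了!');window.location.href='admin_sql.asp?action=config';</script>" 
End if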

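' HTML-encode a value before it is written into the listing (used for the
' SqlIn_SJ cell). "&" is encoded first so the entities produced for the other
' characters are not double-encoded. The original handled only "<" and ">" and
' doubled apostrophes (an SQL-style escape that does nothing for HTML); "&"
' and both quote characters are now encoded so a logged payload cannot break
' out of the cell or an attribute.
' Returns the encoded string; Null input yields "".
Function N_Replace(N_urlString)
	N_urlString = N_urlString & ""
	N_urlString = Replace(N_urlString, "&", "&amp;")
	N_urlString = Replace(N_urlString, "<", "&lt;")
	N_urlString = Replace(N_urlString, ">", "&gt;")
	N_urlString = Replace(N_urlString, """", "&quot;")
	N_urlString = Replace(N_urlString, "'", "&#39;")
	N_Replace = N_urlString
End Function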

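if Request.QueryString("del")="ok" then
	' Bulk delete from the listing form (checkbox name "ID", form action "?del=ok").
	' Request("id") holds every checked value; ASP joins repeated field values
	' with ", ". Each piece must be an integer before it goes into the IN list -
	' the original concatenated the raw value, which was an SQL injection point.
	if Request("id")="" then
		Response.Write "<script>alert('请选择要删除的记录!');window.location.href='admin_sql.asp?action=admin';</script>" 
		response.end()
	end if
	dim sql, idParts, p
	idParts = Split(Request("id") & "", ",")
	for p = 0 to UBound(idParts)
		if not IsNumeric(Trim(idParts(p))) then
			Response.Write "<script>alert('参数无效!');window.location.href='admin_sql.asp?action=admin';</script>"
			Response.End
		end if
		idParts(p) = clng(Trim(idParts(p)))
	next
	sql="delete from [SqlIn] where id in ("&Join(idParts, ",")&")"
	conn.Execute(sql)
	conn.close
	set conn=nothing
	Response.Write "<script>alert('批量删除成功!');window.location.href='admin_sql.asp?action=admin';</script>" 
end if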
%>
